Security Trends to Address Now, on Our Way to the Metaverse

Written by Jonathan Singer

December 28, 2021

The metaverse. It’s kind of a big deal. It’s even hit the point where major news outlets are writing about it. But what is it? And why should a CSO care about it?

The metaverse is essentially the next iteration of the internet. And while the mainstream press might say that no one knows what it will look like, that’s only partially true. There are plenty of people who know what pieces of it will look like, because they’re building them now. And there are plenty of others with a fairly solid vision for what it has to look like in order to function.

To get a sense of it, think about the show Alter Ego, a talent competition (à la “The Voice”) that allows people who feel encumbered by their physical appearance to sing “behind” their avatar. It is — let’s face it — pretty cool. And it gives us a glimpse into what the metaverse will feel like. As Wired’s Kevin Kelly wrote in a story about it back in 2019: “when [the metaverse] is complete, our physical reality will merge with the digital universe.”

Matthew Ball is a venture capitalist (an oversimplification if I’ve ever written one), and he has written an extensive primer and framework for the metaverse. I’ll quote him here:

“The Metaverse is an expansive network of persistent, real-time rendered 3D worlds and simulations that support continuity of identity, objects, history, payments, and entitlements, and can be experienced synchronously by an effectively unlimited number of users, each with an individual sense of presence.”

I’ve broken down this definition to assemble some of the challenges we can expect the metaverse to deliver for CSOs and their teams. 

| Definition | Challenges |
| --- | --- |
| The Metaverse is an expansive network | authentication, access policies, malware, encryption and secure traffic, DNS security, web app attacks |
| of persistent, | uptime, DDoS attacks, flash crowds |
| real-time | security vs. performance trade-offs, API security, stream protection, anti-piracy |
| rendered 3D worlds and simulations | fraud, physical/access security, hardware/IoT security, content integrity |
| that support continuity of identity, | secure registration, credential provisioning, authorization |
| objects, | encryption, PII, fraud prevention, intellectual property rights |
| history, | PII, encryption |
| payments, | PII, encryption, fraud prevention, PCI compliance, tokenization, payment risk |
| and entitlements, | encryption, PII, fraud prevention, intellectual property rights, payment security |
| and can be experienced synchronously by an effectively unlimited number of users, each with an individual sense of presence.” | flash crowds, MFA, security at scale |

(Apologies to Matthew…)

This exercise is a bit tongue-in-cheek, of course, but the point is that the advent of the metaverse is going to greatly expand the threat landscape. So imagining the metaverse is more than a creative exercise for security leadership. It’s the future — a future you ideally need to start planning for now.

Gaming security offers insight into the metaverse

To prepare for the metaverse, and everything that comes between then and now, we recommend that all CSOs, regardless of industry, become familiar with the audience and security challenges of the gaming industry.

Gaming is already providing and influencing a significant portion of the metaverse’s foundational technology. Beyond technology, its business models are likewise being adapted and leveraged across industries. The video, music, sports, fitness, medicine, and industrial training industries (among others) are already borrowing from gaming, making it a useful microcosm of what is to come in the metaverse.

The gaming industry tends to concern itself with four major buckets of security problems:

1. Account takeover

2. Intellectual property theft (data exfiltration)

3. Cheating

4. Uptime threats (DDoS, etc.)

Here, we’ll focus on account takeover, as it provides a useful illustration of security trends to watch between now and the metaverse. At Akamai, we have strong visibility into the problems in the gaming space. I’ve authored a piece on how and why criminals attack the gaming industry, and my colleagues at Akamai have authored two recent “State of the Internet” reports on gaming security: “You Can’t Solo Security” and “Gaming in a Pandemic.” Each of these examines several aspects of what it takes to keep systems online and running despite the relentless efforts of attackers. “You Can’t Solo Security” also features results of a survey of hard-core players, which Akamai undertook in partnership with the international gaming conference organization DreamHack (now ESL Gaming) to better understand how players feel about the security of their games and how much personal responsibility they believe is warranted when it comes to securing their own gaming accounts. Key findings include:

  • Criminals are in it for the money (obvi!), and the value often isn’t in PII — it’s in the account itself. This is an important point that will hold in the metaverse as well. Ten years ago, the primary value of any account was in credit card numbers and any information that could help a criminal get into a bank account. Now the accounts themselves have value in the form of a player’s time and in-game items. Accounts that have put in time playing and racked up gear can allow purchasers of stolen accounts to play at a high level without putting in the effort. In-game goods can also be sold in third-party markets for real cash. This form of virtual value is already being reflected in the investment community with people buying up NFTs. As the world, and your business, move toward operating in the metaverse, securing accounts and access will continue to be a top priority.

  • Criminals are highly focused on industries such as gaming, where the user community has disposable income and frequently makes transactions. Gaming is under constant assault. In the past year, we’ve seen web attacks grow by 340% and credential attacks increase by 224%. These credential stuffing campaigns are often successful. We learned from our DreamHack/ESL survey of 1,253 hard-core gamers (81% play games every day) that 52% have had at least one of their accounts hacked, and 70% have come across hacked accounts being sold online. Consider the state of gaming accounts here to be a bellwether for the treatment of future metaverse accounts across a variety of industries and services.

  • Customers want help from you. Our survey with DreamHack/ESL also revealed that 76% of respondents felt that gaming companies were responsible for account security. However, it was a multiple-choice question: 67% of those same respondents indicated that they, the players, should be responsible as well. As every company moves to do business in the metaverse, partnership with your users and employees around account security will become a larger part of the customer experience and the brand relationship, expanding security’s role in the enterprise. 

As we move into the metaverse, your organization’s attack surface will grow by orders of magnitude. To keep that “other world” turning, security strategies will need to better align across industries, and competitors and their security vendors may all need to partner to keep users’ account information secure. In the meantime, security leaders who deeply examine the current state of their account security practices and consider new ways to partner with and train their users will be best prepared to manage the other complexities yet to come.

Read more about what Akamai helps make possible in the gaming industry.

 


